Instead, the number of attack commands sent to its network of infected devices increased in the months afterward.<\/p>\n
The findings underscore how difficult it is for law enforcement to dismantle decentralized cyber groups that rely on ideology, small financial incentives and thousands of ordinary users turning their own devices into attack tools.<\/p>\n
\t\t\t\t![\"](\"https:\/\/www.europesays.com\/russia\/wp-content\/uploads\/2026\/04\/Image2-1.png\")
<\/p>\n
\t\t\t\t\t\t\t\t\t\t\t\t\tScreenshot<\/p>\n
One of the group\u2019s most visible campaigns came during Denmark\u2019s municipal elections in November 2025. Fearing disruptions, local authorities installed<\/a> backup generators, printed paper voter lists and bought camping lanterns for polling stations in case of outages.<\/p>\n The precautions followed<\/a> waves of cyberattacks that temporarily disrupted Danish government websites, political parties, municipal administrations, police services, railway operators and a defense company.<\/p>\n Responsibility was claimed by NoName057(16), which had warned in a private channel days earlier that Denmark would be its next target.<\/p>\n The hackers said Denmark was targeted because politicians had increased support for Ukraine during the election campaign.<\/p>\n The attacks were limited to DDoS operations, in which massive volumes of artificial traffic are directed at websites until they become overloaded and stop responding. Such attacks rarely cause permanent damage, but they can disrupt services for hours or days and create significant public alarm.<\/p>\n Most Danish websites were quickly restored and the elections were not disrupted. Still, Denmark\u2019s military intelligence service later confirmed<\/a>\u00a0NoName057(16) was responsible.<\/p>\n \u201cThe Russian state uses the group as a tool of its hybrid war against the West,\u201d the intelligence service said. \u201cThe goal is to create instability in targeted countries and punish those that support Ukraine.\u201d<\/p>\n NoName057(16) first appeared in March 2022, weeks after Russia launched its full-scale invasion of Ukraine.<\/p>\n Initially focused on Ukrainian media and government websites, it later expanded across Europe and beyond, targeting countries that support Kyiv, including the U.S., Canada, Israel and Taiwan.<\/p>\n Its manifesto closely mirrors Kremlin narratives, accusing the West of \u201crussophobia,\u201d censorship and support for what it calls \u201cUkrainian terrorists.\u201d The group frames its attacks as retaliation against anti-Russian policies and defense of \u201ctraditional values.\u201d<\/p>\n In 2026, its campaigns were tied to events including the Milan-Cortina Winter Olympics<\/a>, new Western military aid packages for Ukraine and the escalation<\/a> of conflict between Israel and Iran. During the Israeli-Iranian confrontation, the hackers attacked Israeli websites and described their actions as solidarity with Iran, echoing Russian state messaging.<\/p>\n The group\u2019s operations rely on software called DDoSia, which experts say is simple enough for non-specialists to install.<\/p>\n RKS.Global researchers downloaded and analyzed the program for Vot Tak. Available for Windows, Linux, macOS and Android, it can be installed on phones, computers and even routers.<\/p>\n Once installed, the software effectively turns the device into a participant in cybercrime.<\/p>\n Users do not choose targets themselves. NoName057(16) administrators send attack configurations from rented control servers, specifying which domains or IP addresses should be hit. After receiving those instructions, the infected device automatically begins generating traffic against the selected targets.<\/p>\n To join, users contact administrators through a Telegram bot, receive an access key and server address, enter the data into the program and press \u201cStart.\u201d From then on, the process is largely automatic.<\/p>\n According to RKS.Global, a single infected device can generate hundreds of thousands or even millions of requests per day. When combined across thousands of devices, the traffic creates serious DDoS threats.<\/p>\n \t\t\t\t \t\t\t\t\t\t\t\t\tScreenshots of recruitment ads on Telegram. The simplicity of the system has helped NoName057(16) recruit widely.<\/p>\n The group runs a closed Telegram support chat called DDoSia Project, where participants receive technical help, instructions and access to a reward system based on an internal currency called dCoin.<\/p>\n Participants earn dCoins depending on the number of \u201csuccessful\u201d requests sent during attacks. The more traffic their devices generate, the more they are paid.<\/p>\n For example, 500,000 successful requests per day can earn 50 dCoin. One dCoin is worth 2 rubles, or about 2.4 U.S. cents, and can be converted into the TON cryptocurrency and later into cash.<\/p>\n Users can increase earnings by installing the software on multiple devices or recruiting others through referral links. The system also includes military-style ranks such as private, sergeant and colonel, with the highest level called \u201cGeneral Dosi.\u201d<\/p>\n Telegram advertisements promote the project as both easy money and patriotic duty.<\/p>\n Messages reviewed by Vot Tak promised users they could \u201ccarry out DDoS attacks and earn money,\u201d \u201clearn hacking in 15 minutes\u201d or \u201chelp Russia on the information front and get rewarded.\u201d They do not mention that DDoS attacks are criminal offenses, including under Russian law.<\/p>\n European authorities launched<\/a> Operation Eastwood in July 2025 in a coordinated attempt to dismantle NoName057(16) involving 12 countries and coordinated by Europol.<\/p>\n Authorities seized more than 100 servers, carried out 24 searches, issued seven arrest warrants and questioned 13 individuals. Three suspects were arrested in France<\/a>, Spain<\/a> and Poland.<\/p>\n Five Russian citizens were added to Europol\u2019s most wanted list. More than 1,000 suspected supporters, including Telegram administrators, also received warnings about criminal liability.<\/p>\n While authorities said they had dismantled the group\u2019s infrastructure,\u00a0data analyzed by Vot Tak and RKS.Global showed the attacks resumed within days and overall activity increased.<\/p>\n The group sent an average of about 6,300 attack commands per month before Eastwood, compared to an average of 7,708 afterward.<\/p>\n In the eight months before the operation, researchers recorded 56,231 attack commands. In the eight months after, from July 2025 to March 2026, they counted 61,666.<\/p>\n From late October 2025 to mid-March 2026, NoName057(16) claimed 1,530 successful operations, about 300 per month.<\/p>\n \t\tnews \t\t\t\tRussian Hackers ‘Targeting Messaging Apps,’ Dutch Spy Agency Says Vot Tak verified that at least some of those attacks were genuine, with targeted websites temporarily inaccessible. Several affected companies and local administrations also confirmed experiencing DDoS disruptions.<\/p>\n Government websites accounted for nearly one-third of identified targets, according to RKS.Global. Financial institutions, transport and logistics companies, municipalities and telecom operators were also frequent victims.<\/p>\n Germany became one of the group\u2019s main targets after Operation Eastwood, with hackers openly describing attacks there as revenge for the crackdown.\u00a0<\/p>\n Poland was also repeatedly targeted, including ministries, city governments, transport systems, defense contractors and industrial facilities.<\/p>\n Poland\u2019s Digital Affairs Ministry told Vot Tak that the real damage remained limited and said such groups often exaggerate their success online to appear more effective than they are.<\/p>\n Europol identifies 39-year-old Mikhail Burlakov<\/a> and 36-year-old Maxim Lupin<\/a> as the main coordinators of NoName057(16), accusing them of developing and maintaining DDoSia and paying for the servers used by the network.<\/p>\n Both men are believed to live in Moscow and both hold senior positions at the state-run Center for the Study and Network Monitoring of the Youth Environment (CISM), according to leaked records reviewed by Vot Tak.<\/p>\n Officially, CISM monitors harmful online content such as cyberbullying and criminal subcultures. But Vot Tak previously reported<\/a> that one of its functions was compiling denunciations against Russians for online comments.<\/p>\n Lupin serves as CISM\u2019s general director, while Burlakov is his deputy.<\/p>\n Both men denied involvement.<\/p>\n Burlakov said European authorities had \u201cdragged random people into completely unclear criminal cases\u201d and blamed what he called Western bias and russophobia.<\/p>\n A Telegram account linked to Lupin\u2019s phone number also denied knowledge of NoName057(16), calling Europol\u2019s accusations \u201csome kind of mistake.\u201d<\/p>\n Dismantling groups like NoName057(16) is difficult because they are run by professionals who know how to hide infrastructure, mask IP addresses and quickly restore operations if key members remain free, cybersecurity expert Leonid Yuldashev told Vot Tak.<\/p>\n Still, he said police actions like Operation Eastwood are not meaningless, as they can expose infrastructure, identify devices, provide access to internal communications and disrupt finances.<\/p>\n \u201cIt also had symbolic value,\u201d Yuldashev said. \u201cIt clearly showed the group that it is being targeted.\u201d<\/p>\n He said the most effective long-term defense is broader use of DDoS protection systems that filter malicious traffic before it reaches target servers.<\/p>\n Around 80% of websites already have some level of protection, he said, and the remaining 20% remain highly vulnerable.<\/p>\n \u201cThat is still a very large number,\u201d Yuldashev said. \u201cAttackers can find such resources automatically.\u201d<\/p>\n A Message from The Moscow Times:<\/p>\n Dear readers,<\/p>\n We are facing unprecedented challenges. Russia’s Prosecutor General’s Office has designated The Moscow Times as an “undesirable” organization, criminalizing our work and putting our staff at risk of prosecution. This follows our earlier unjust labeling as a “foreign agent.”<\/p>\n These actions are direct attempts to silence independent journalism in Russia. The authorities claim our work “discredits the decisions of the Russian leadership.” We see things differently: we strive to provide accurate, unbiased reporting on Russia.<\/p>\n We, the journalists of The Moscow Times, refuse to be silenced. But to continue our work, we need your help<\/a>.<\/p>\n Your support, no matter how small, makes a world of difference. If you can, please support us monthly starting from just $2. It’s quick to set up, and every contribution makes a significant impact.<\/p>\n By supporting The Moscow Times, you’re defending open, independent journalism in the face of repression. Thank you for standing with us.<\/p>\n \n\t\t\t\tContinue\n\t\t\t<\/p>\n \t\t\t\t Not ready to support today? \u00d7<\/p>\n \t\tRemind me next month<\/p>\n \n\t\t\tThank you! Your reminder is set.\n\t\t<\/p>\n![\"
Screenshots](\"https:\/\/www.europesays.com\/russia\/wp-content\/uploads\/2026\/04\/uid_e1228be9b2ee4a7a8409ab6960a1778c_width_1025_play_0_pos_0_gs_0_height_0.png\")
<\/p>\n
\n\t\t\t\t\t\t\t\t\t\t\t\t\tVot Tak<\/p>\n
\n\t\t<\/p>\n
\n\t\t\tRead more
\n\t\t<\/a><\/p>\n![\"paiment](\"https:\/\/www.europesays.com\/russia\/wp-content\/uploads\/2026\/04\/1775844130_930_payment_icons.png\"){kind=icon}
<\/p>\n
Remind me later.<\/p>\n